Context-aware network on a data exchange layer

ABSTRACT

There is disclosed in one example a data exchange layer (DXL) broker, including: a hardware platform including a processor; and instructions encoded in a memory to instruct the processor to communicatively couple to a DXL fabric configured to operate a one to-many (1:N, N&gt;1) publish-subscribe fabric; provide an interface to authenticate and register DXL endpoints with the DXL broker; and provide DXL messaging, including maintaining a routing table of registered DXL endpoints; receiving from a first registered DXL endpoint a one-to-one (1:1) request for an endpoint of the DXL fabric, wherein the endpoint is not a registered DXL endpoint of the broker; and publishing the 1:1 request to the DXL fabric.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. Non-Provisional applicationSer. No. 14/912,750 filed 18 Feb. 2016, entitled “Context-Aware Networkon a Data Exchange Layer,” which is U.S. 371 National Phase Applicationof PCT/US2013/076570, filed Dec. 19, 2013, entitled “Context-AwareNetwork on a Data Exchange Layer,” which claims priority to U.S.Provisional Application 61/884,007 filed 28 Sep. 2013, entitled “DataExchange Layer,” and 61/884,047 filed 28 Sep. 2013, entitled “Sharing aSingle Persistent Connection to Access Multiple Remote Services.” All ofthe above related applications are incorporated herein by reference intheir entirety.

FIELD OF THE DISCLOSURE

This application relates to the field of enterprise security, and moreparticularly to context-aware computing over a data exchange layer.

BACKGROUND

An enterprise service bus (ESB) is a software-based network architecturethat provides a medium of data exchange over a service-orientedarchitecture. In some embodiments, ESB is a special case of aclient-server software architecture in which clients may route messagesthrough the server.

Software, binaries, executables, advertising, web pages, documents,macros, executable objects, and other data provided to users(collectively “executable objects”) may include security flaws andprivacy leaks that are subject to exploitation by malware. As usedthroughout this specification, malicious software (“malware”) mayinclude a virus, Trojan, zombie, rootkit, backdoor, worm, spyware,adware, ransomware, dialer, payload, malicious browser helper object,cookie, logger, or similar application or part of an applicationdesigned to take a potentially-unwanted action, including by way ofnon-limiting example data destruction, covert data collection, covertcommunication, browser hijacking, network proxy hijacking orredirection, covert tracking, data logging, keylogging, excessive ordeliberate barriers to removal, contact harvesting, unwanted use ofpremium services, and unauthorized self-propagation. In some cases,malware may also include legitimate software that includes inadvertentsecurity flaws that cause or enable malware behavior. “Malware behavior”is defined as any behavior that qualifies an application as malware orgrayware. Some prior art systems are configured to identify and blockmalware, for example by maintaining databases of known malware.

In addition to executable objects, computing devices may encounterstatic objects, which are not intended to change the operating state ofa computer. As a class, executable objects and static objects may bereferred to simply as “objects.” An enterprise security concern is theclassification of objects' malware status.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is best understood from the following detaileddescription when read with the accompanying FIGURES. It is emphasizedthat, in accordance with the standard practice in the industry, variousfeatures are not drawn to scale and are used for illustration purposesonly. In fact, the dimensions of the various features may be arbitrarilyincreased or reduced for clarity of discussion.

FIG. 1 is a network diagram of a context-aware network with dataexchange layer (DXL) capability according to one or more examples of thepresent specification.

FIG. 1A is an example where a domain master is a joint threatintelligence (JTI) server according to one or more examples of thepresent specification.

FIG. 1B is a network diagram of select elements in a context-awarenetwork according to one or more examples of the present specification.

FIG. 2 is a network diagram disclosing a distributed architectureaccording to one or more examples of the present specification.

FIG. 3 is a network diagram of an example DXL network operating across atraditional enterprise boundary according to one or more examples of thepresent specification.

FIG. 4 is a network diagram of a context-aware network according to oneor more examples of the present specification.

FIG. 5 is a block diagram of a DXL broker according to one or moreexamples of the present specification.

FIG. 6 is a block diagram of a CIM server according to one or moreexamples of the present specification.

FIG. 7 is a block diagram of a domain master according to one or moreexamples of the present specification.

FIG. 8 is a block diagram of a client according to one or more examplesof the present specification.

FIG. 9 is a flow diagram illustrating evaluation of an object in ahierarchical manner according to one or more examples of the presentspecification.

FIG. 10 is a flow diagram of a method performed by a client according toone or more examples of the present specification.

FIG. 10A is a flow diagram of a method performed by a JTI server inconnection with the method of FIG. 10 according to one or more examplesof the present specification.

FIG. 11 is a flow diagram of a method of a JTI server servicing areputation request according to one or more examples of the presentspecification.

FIG. 12 is a flow diagram of an enhancement to the method of FIG. 10Aaccording to one or more examples of the present specification.

DETAILED DESCRIPTION OF THE EMBODIMENTS SUMMARY

In an example, there is disclosed a data exchange layer (DXL) broker,including: a hardware platform including a processor; and instructionsencoded in a memory to instruct the processor to communicatively coupleto a DXL fabric configured to operate a one to-many (1:N, N>1)publish-subscribe fabric; provide an interface to authenticate andregister DXL endpoints with the DXL broker; and provide DXL messaging,including maintaining a routing table of registered DXL endpoints;receiving from a first registered DXL endpoint a one-to-one (1:1)request for an endpoint of the DXL fabric, wherein the endpoint is not aregistered DXL endpoint of the broker; and publishing the 1:1 request tothe DXL fabric.

EXAMPLES OF THE DISCLOSURE

The following disclosure provides many different embodiments, orexamples, for implementing different features of the present disclosure.Specific examples of components and arrangements are described below tosimplify the present disclosure. These are, of course, merely examplesand are not intended to be limiting. Further, the present disclosure mayrepeat reference numerals and/or letters in the various examples. Thisrepetition is for the purpose of simplicity and clarity and does not initself dictate a relationship between the various embodiments and/orconfigurations discussed.

Different embodiments may have different advantages, and no particularadvantage is necessarily required of any embodiment.

In an increasingly heterogeneous software ecosystem, enterprises mayface new and enhanced security challenges and malware threats. Thiscreates a situation in which real-time exchange of threat intelligencebetween otherwise autonomous network elements is desirable. Increasedsharing may improve security between devices that otherwise operate intheir own security “silos.”

The system and method of the present specification addresses suchchallenges by providing standardized data representations across datasources, and safeguarding the quality of data shared by disparatesources.

Context-aware computing (CAC) is a style of computing in whichsituational and environmental information about people, places andthings is used to anticipate immediate needs and proactively offerenriched, situation-aware, and usable functions and experiences.Context-aware computing relies on capturing data about the world as itis at the moment the system is running.

According to one or more examples of the present specification, a“context-aware network” is an adaptive system, including for example asecurity system, of interconnected services that communicate and shareinformation to make real-time, accurate decisions by individual productsand/or as a collective. According to an example, network, endpoint,database, application and other security solutions are no longer tooperate as separate “silos” but as one synchronized, real-time,context-aware and adaptive, security system.

In an example, multiple network elements are connected to one anothervia a data exchange layer (DXL), which is a type of ESB that is suitablefor exchange of security-related messages among other things. As usedherein, “network elements” include any type of client or server (e.g., avideo server, a web server, etc.), routers, switches, gateways, bridges,load-balancers, firewalls, inline service nodes, proxies, networkappliances, processors, modules, or any other suitable device,component, element, or object operable to exchange information in anetwork environment. More specifically, DXL endpoints are networkelements that interact over a DXL ESB. DXL endpoints may be distributedacross a customer network and communicate in “real-time” in a trusted,secure, and reliable fashion. This may provide increased automation andimproved security services.

In an example, DXL endpoints are deployed at strategic locations withina network to intercept ongoing business activity, inspect and interpretit, and ultimately determine whether it is authorized, meaning forexample that it is consistent with enterprise security policies. In somecases, network elements make such decisions “in-band,” momentarilysuspending the business activity, and in “machine-real-time,” atlatencies low enough to avoid a significant user-perceptible delay inthe business activity.

In some cases, network elements may have independent access to securitydata only by way of their own independent analysis and observation, andvia scheduled definition updates, which may come, for example, on aweekly basis as updated malware definitions.

Because network elements are often heterogeneous and may be deployed,particularly in a modern network, in a temporary or ad hoc fashion,real-time intelligence becomes a challenge, particularly when “in-band”decisions are necessary. Furthermore, an enterprise may procure securitysolutions in a piecemeal fashion, so that one product cannot alwaysassume the presence of another product. For example, there may not be asingle, pre-defined repository of threat intelligence for networkelements to consult, and regular malware definition updates may notinclude lately discovered threats. Representation and interpretation ofdata offer yet another challenge. Network elements may use disparate,proprietary data representations. Thus, for example, even an antivirusscanner may not be configured to share newly-discovered malwareinformation with a network-based security device. Trustworthiness ofinformation may be yet another challenge in other contexts. In otherwords, even if an antivirus scanner and network-based security deviceare configured to share security intelligence, each may not have a meansof validating intelligence received from the other.

In an example, the present specification provides a data exchange layer(DXL), which may operate on a lightweight messaging-based communicationsinfrastructure such as ESB and be configured to allow endpoints to sharecontextual data. DXL may be one element of a larger security-connectedframework, which is an adaptive system, such as a security system, ofinterconnected services that communicate and share information to makereal-time, accurate security decisions by individual security productsand/or as a collective. According to an example, network, endpoint,database, application and other security solutions need not operate asseparate ‘silos’ but as one synchronized, real-time, context-aware andadaptive security system.

In an example of a security-connected framework, a real-time,bi-directional communications fabric is provided for enabling real-timesecurity management. Specifically, certain existing messaginginfrastructures are based on one-to-many communications(publish-subscribe). The publish-subscribe capabilities may besignificantly enhanced, so that communication can be one-to-one (forexample, peer-to-peer), or bi-directional (for example, query-response).Advantageously, the framework can scale to millions of concurrentconnected clients, so that any connected client can reach any otherconnected client in real-time or near real-time regardless of thephysical location of the connected clients. To this end, the DXLabstraction layer is provided between different types of connectedclients, and acts as an intermediary communications medium.

A DXL domain master may combine and reconcile the client propertiesreceived from a plurality of sources into a single record of truthaccording to a common information model (CIM), containing a single valueor values. This may include determining that a first data source is moretrusted than a second data source, and using the data from the firstdata source, or otherwise reconciling a plurality of data into a singlerecord.

The reconciled data may be stored in a domain database, and a domainmaster may publish the client properties on the DXL. A DXL broker maythen forward the published message to DXL endpoints, which receives asingular and most accurate reconciled value. Subsequently, a client maysend a DXL request over the DXL, inquiring about the properties of a DXLclient. The DXL broker receives this request and automatically routes itto a domain master. The domain master retrieves the client propertiesfrom its domain database and sends a DXL response message, which the DXLbroker receives and forwards to the DXL client. Note that while the“publish-subscribe” transactions in this example are one-to-many,one-to-one “request-response” transactions are natively provided on thesame fabric.

Further adding to extensibility, new or better data sources may beincorporated, by integrating them with domain master 160. This may becompletely transparent to clients 120 and other DXL endpoints.

Additional features of a DXL broker may include, by way of non-limitingexample: service and location registries to lookup registered endpoints,available services, and their locations; publish/subscribe (1:N),request/response (1:1), device-to-device (1:1), and push notificationmessaging interfaces; optimized message passing between brokers;destination-aware message routing; and broker-to-broker failover.

Advantageously, domain masters need not be concerned with how each DXLendpoint treats a published message. Rather, that can be a matter ofenterprise security policy.

FIG. 1 is a network diagram of a context-aware network 100 with DXLcapability. According to this example, a plurality of clients 120connected to a DXL enterprise service bus (ESB) 130. DXL ESB 130 is anexample of a DXL fabric, and may be provided on top of an existingnetwork, such as a local area network (LAN). Client 120 may be anysuitable computing device, including by way of non-limiting example acomputer, a personal digital assistant (PDA), a laptop or electronicnotebook, a cellular telephone, an IP telephone, an iPhone™, an iPad™, aMicrosoft Surface™, an Android™ phone, a Google Nexus™, or any otherdevice, component, element, or object capable of initiating voice,audio, or data exchanges within a communication system, including asuitable interface to an end user, such as a microphone, a display, or akeyboard or other terminal equipment. In the example of FIG. 1, client120-1 is an embedded device, such as a network security sensor. Client120-2 is a virtual machine. Client 120-3 is a laptop or notebookcomputer. Client 120-4 is a desktop computer.

DXL ESB 130 may be any type of physical or virtual network connectionover which appropriate data may pass. At present, there is no fixed orglobal standard for an ESB, and the term, as used herein, is intendedbroadly to encompass any network technology or topology suitable formessage exchange. In one embodiment, message queuing telemetry transport(MQTT) messages are exchanged on port 8883. In some cases, clients 120,DXL broker 110, domain master 160, database 162, JTI server (FIG. 1A),proxy 170 (FIG. 1A), and threat intelligence service 180 (FIG. 1A), allby way of non-limiting example, may be referred to as “networkelements.”

Network elements configured to operate on or with DXL ESB 130 may bereferred to as “DXL endpoints.” These may include, in an example,clients 120, DXL broker 110, and domain master 160.

DXL broker 110 may be configured to provide DXL messaging services overDXL ESB 130, such as maintaining DXL routing tables and deliveringmessages.

DXL broker 110 provides DXL services 190, which in an example arenetwork services operable to provide DXL ESB 130 to DXL endpoints.

Domain master 160 may be configured to communicatively couple to DXLbroker 130. Domain master 160 may maintain domain data in a databasesuch as database 162. In this example, domain master 160 and database162 are shown as two distinct entities, but it should be noted that manyconfigurations are possible. For example, database 162 may reside on adisk drive local to the domain master 160, or may be separately orremotely hosted. Database 162 is disclosed by way of example, and may beany suitable data store, including a structured or relational database,distributed database, or flat file by way of non-limiting example.

By way of operative example, a client such as laptop 120-3 connects tothe LAN and receives a new IP address. At this point, several propertiesof laptop 120-3 become knowable to other network elements, including byway of non-limiting example, its IP address, information about itsoperating system, and the logged-on user's username. For ease ofreference, these are referred to as “client properties” throughout thisexample. Client properties are embodiments of security-intelligencedata, and are of interest to virtual machine 120-2, which has previouslysubscribed the security-intelligence data topic with domain master 160.

Client properties may be reported to the DXL simultaneously by twodistinct sources, namely by laptop 120-3, and by network security sensor120-1. However, network security sensor 120-1 may fail to report ausername value. It may also report an OS value different from thatreported by the laptop 120-3. This may be, for example, because networksecurity sensor 120-1 is sensing data remotely, and may not be able todetermine these values as reliably as laptop 120-3 itself.

Domain master 160 is responsible for the “client system” data domain,which includes client properties. When laptop 120-3 and client 120-1publish a message containing the client properties, both messages arefirst routed to DXL broker 110. DXL broker 110 may then forward theclient properties to domain master 160.

Domain master 160 may combine and reconcile the client propertiesreceived from the two sources into a single record of truth, containinga single value for IP address, operating system, and usernamerespectively. Specifically, it may determine via its own logic andperhaps prior configuration that laptop 120-3 is trusted more for OSvalue than network security sensor 120-1. Therefore, domain master 160may ignore the “operating system” value received from network securitysensor 120-1 when it conflicts with laptop 120-3.

The reconciled client properties are persistently stored in domaindatabase 162. Domain master 160 may then publish the client propertieson DXL ESB 130. DXL broker 110 may then forward the published message tovirtual machine 120-2, which receives a singular and most accurate valuefor client properties.

Subsequently, client 120-4 may send a DXL request over DXL ESB 130,inquiring about the client properties for laptop 120-3. DXL broker 110receives this request and automatically routes it to domain master 160.Domain master 160 retrieves the client properties from domain database162 and sends a DXL response message, which DXL broker 110 receives andforwards to client 120-4. Note that while the “publish-subscribe”transactions in this example are one-to-many, the “request-response”transactions are one-to-one.

In some embodiments, DXL may be characterized by messaging that allowsloose integration or coupling of multiple network elements. Loosecoupling may reduce the assumptions each DXL endpoint must make aboutother DXL endpoints, such as the presence of certain capabilities,hardware, or software. According to one or more examples of the presentspecification, DXL is a ‘Plug-and-Play’ API, and may facilitatecontext-aware and adaptive security by enabling context to be sharedbetween products.

Further according to one or more examples of the present specification,DXL is an elastic architecture with multiple deployment options and ishighly scalable. DXL may also be designed with openness in mind andenable third-party integration.

DXL ESB 130 may be based on a two-layer protocol. The “bottom” layer isa secure, reliable, low-latency data transport fabric that connectsdiverse security elements as a mesh, or in a hub-and-spokeconfiguration. The “top” layer is an extensible data exchange frameworkthat is configured to facilitate trustworthy data representation.

In an example, DXL endpoints connect to DXL ESB 130. Each DXL endpointis assigned a distinct identity, and authenticates itself to DXL ESB 130upon startup, for example via a certificate or other secure token. DXLendpoints may establish one-to-one communications via DXL ESB 130, forexample by sending a DXL message addressed to a DXL endpoint with aspecific identity. This enables DXL endpoints to communicate with eachother without having to establish a point-to-point network connection.In an example, this is analogous to a person-to-person phone call.

In another example, DXL may provide a publish-subscribe framework inwhich certain DXL endpoints “subscribe” to messages of a certain type.When a DXL endpoint “publishes” a message of that type on DXL ESB 130,all subscribers may process the message, while non-subscribers maysafely ignore it. In an example, this is analogous to a podcastsubscription service. In yet another example, DXL may provide arequest-response framework. In this case, one DXL endpoint may publish arequest over DXL ESB 130. An appropriate DXL endpoint receiving therequest may provide a response. Advantageously, the response may be usedby more than just the DXL endpoint that originally published therequest. For example, if a client 120 publishes a request for anobject's reputation, JTI server 150 may respond by publishing thereputation. Thus, other clients 120 that find instances of the objectmay benefit from the response. For example, clients 120 may maintain acomprehensive cache of reputations published on the network. If a client120 then newly encounters an object that is known on the network, client120 already has an up-to-date reputation for the object.

DXL ESB 130 may be implemented using diverse software elements,patterns, and constructs suited to the specific infrastructureconnecting the security elements. For instance, in a physical enterprisenetwork, messaging middleware consisting of multiple interconnectedmessage brokers may be deployed, where endpoints connect to the closestbroker. In a virtual network infrastructure, the fabric may leveragehypervisor provided channels.

As noted above, DXL ESB 130 may be configured to provide real-time,trusted exchange of data among otherwise-autonomous,dynamically-assembled DXL endpoints. Thus, in an example DXL ESB 130'sconceptual framework may comprise two virtual components:

-   -   a. Broad collections of security-relevant data are categorized        into “data domains.” Each data domain is a closely related        sub-collection of entities, attributes, and inter-relationships.    -   b. Domain master 160 is a data provider assigned ownership of        data for each domain. Domain master 160 acts as an intermediate        trusted data broker between first-hand sources of raw        “intelligence” data, and data consumer endpoints such as clients        120. Intelligence data may flow from data producer endpoints to        the appropriate domain master 160, and then be relayed to data        consumer endpoints such as clients 120. Note that in this        example, the concepts of “data producer” and “data consumer” are        contextual roles, and not necessarily physical devices. A client        120 may be a data producer in one context and a data consumer in        another context.

In an example, domain master 160 may establish first-hand trustrelationships with data-provider endpoints. This enables it to gauge thequality (including accuracy and reliability) of data (such as reputationdata) it receives from any particular source. When duplicate, piecemealdata is received from multiple (independent) sources, such as differentclients 120, domain master 160 may reconcile the data and resolveconflicts to derive a single best-known record of truth (such as, forexample, a reputation) for each object. This ensures that clients 120receive consistent data.

Domain master 160 may also transform data into a well-understood,standardized representation. This representation may be published on DXLESB 130, so that all clients 120 receive usable data.

Advantageously, DXL endpoints do not need to know what device originateddata, or make point-to-point connections to other DXL endpoints, evenwhen one-to-one communication is necessary. Rather, DXL client softwareor DXL extensions enable a DXL endpoint to use its own local APIs forquerying and receiving data. To increase network efficiency, DXLendpoints may cache received data locally, which data may be trusteduntil it is superseded by an authorized DXL message. For example,clients 120 may subscribe to published reputations for objects. When anobject reputation is received, either in response to a request-responsetransaction, or in a publish-subscribe model, client 120 may store thereputation in a local database. The reputation may be trusted untilsuperseded, because DXL master 160 is configured to publish a reputationupdate whenever it receives an updated reputation. Thus, frequentindividual data requests from clients 120 become bulk datasubscriptions, as published reputations are available to all clients 120that subscribe to reputations. Advantageously, this may reduce thelatency of data exchanges.

In yet another example, DXL broker 110 provides a discovery and locationservice that informs DXL endpoints of the specific domain master 160 towhich data query and subscription requests should be routed.

Advantageously, the example DXL architecture described herein isflexible. For example, individual data sources may connect anddisconnect from the network without affecting data consumers. Domainmaster 160 may simply rely on whatever data sources are available.Furthermore, the framework makes no assumptions about the physicallocation or specifically how domain master 160 or domain endpoints aredeployed or configured. So long as each network element provides validDXL messaging, traffic is routed correctly.

In the example above, DXL master 160 is a logical singleton, but itshould be noted that DXL master 160 may be implemented, for example, asa set of distributed service components, where each component serviceseither a subset of the domain, or provides a local data replica of aservice running elsewhere. Such configurations may enhance scale,performance, and reliability. This may also allow services to betransparently relocated.

Further advantageously, the DXL framework provided herein is extensible.For example, data about new entities and relationships may be providedsimply by creating new data domains. New attributes and relationshipsfor existing data domains may be provided simply by defining new messagetypes for that domain.

In an example, domain master 160 has responsibility over the domain ofmalware data. To distinguish messages from the “malware” domain, such asnetwork status and device maintenance, a namespace may be defined foreach. For example, the reputation domain may use the “MALWARE”namespace, the network status domain may use the “STATUS” namespace, andthe device maintenance domain may use the “MAINT” namespace. Thus, ifdomain master 160 is the master for the reputation domain, it knows toprocess messages within the malware namespace, and to ignore all others.This allows a designer for each domain to assign a set of messageswithout having to consult existing domains to avoid name collisions formessages.

For example, both the reputation domain and a device maintenance domainmay have use for a message such as DOWNLOAD_UPDATES. In the case of thereputation domain, this message may be an instruction to retrieveupdated malware definitions from JTI server 150. In the devicemaintenance domain, this may be an instruction to download operatingsystem updates from a vendor.

Clients 120 may be configured to exchange data from several DXL domainsand may subscribe to messages on both the reputation domain and thedevice maintenance domain. Thus, client 120-1 for example, may parse andrespond to a DXL message DOWNLOAD_UPDATES by requesting bulk reputationupdates. In one embodiment, the message requesting malware updates mayitself be a DXL message. In some cases, for example where the updatesare large and are not needed in real-time, delivery of the updates maybe completed outside of the DXL architecture to reserve a DXL forlightweight, high-speed messaging.

Client 120 may also know that it should parse and respond to MAINT:DOWNLOAD_UPDATES by contacting a vendor's servers and requestingupdates.

In the case where domain master 160 is configured as the master for thereputation domain, it may know to ignore all DXL messages that are notin the MALWARE namespace. Note, however, that a single physical devicemay be configured to act as a domain master for multiple domains, inwhich case traffic in different namespaces may be passed to differentsubroutines. In some embodiments, DXL broker 110 may be configured tosynthesize reports from a plurality of DXL network devices such asclients 120 that are given lesser privileges, such as “suggest”privileges on DXL ESB 130.

Further adding to extensibility, new or better data sources may beincorporated, by integrating them with domain master 160. This may becompletely transparent to clients 120 and other DXL endpoints.

Additional features of a DXL broker 110 may include, by way ofnon-limiting example: service and location registries to look upregistered endpoints, available services, and their locations;publish/subscribe (1:N), request/response (1:1), device-to-device (1:1),and push notification messaging interfaces; optimized message passingbetween brokers; destination-aware message routing; and broker-to-brokerfailover.

Advantageously, domain master 160 need not be concerned with how eachDXL endpoint treats a published message. Rather, that can be a matter ofenterprise security policy.

Additional DXL features for clients 120 may include, by way ofnon-limiting example: local message bus integration with an API todiscover brokers, authenticate to DXL, and send and receive cataloguedmessages.

Additional general features of context-aware network 100 may include, byway of non-limiting example: DXL broker and client provisioning andmanagement of domain master 160; policy-based authorization of endpointsonto DXL ESB 130; secure SSL-based communications; proxy support foroff-premises communications; and domain master appliances pre-configuredwith DXL broker functionality (thus joining domain master 160 and DXLbroker 110 into one device).

FIG. 1A is an example where domain master 160 is a joint threatintelligence (JTI) server 150 providing, for example, object reputationservices on the “reputation” domain according to one or more examples ofthe present specification. JTI server 150 may communicatively couple toDXL broker 110. JTI server 150 may be a middleware appliance configuredto provide reputation services, maintain metadata about network objects(such as reputation, prevalence, and intelligence, by way ofnon-limiting example), call out to external scanners for an object'sreputation classification, and provide telemetry data to threatintelligence service 180. JTI server 150 may communicate with a globalthreat intelligence service 180 via a proxy 170, which may includeeither communication over DXL ESB 130, or over a more traditional IPnetwork.

Advantageously, JTI server 150, in connection with threat intelligenceservice 180, may provide crowd-sourced object reputations. JTI server150 may also provide administrator overrides. These may includeaggregation of administrator override policies from several enterprises,for whether an object should be run on a network and whether acertificate is considered “clean.” These may also include client-sideresults, such as an aggregate of end-user decisions of whether to allowor block an object.

In another example, JTI server 150 may track prevalence data, includingthe prevalence of an object on context-aware network 100.

In yet another example, JTI server 150 may serve as a telemetryaggregator/proxy to gather and send to threat intelligence service 180telemetry from endpoints that do not directly interact with threatintelligence service 180. JTI server 150 may also contribute filemetadata to threat intelligence service 180, such as hashes, digitalsignature data, and file attributes.

JTI server 150 may receive several such messages from different clients120, and in some cases, the messages may conflict with one another. Uponreceiving an initial report from a client 120 identifying an object asmalware, domain master 160 may publish a warning that the other clientsshould give additional scrutiny to the object, such as deep scanning orrequesting user verification before executing the object. In otherembodiments, domain master 160 may provide such information in responseto a request for an object reputation from a client 120.

If additional clients 120 identify the object as malware, then aconfidence indicator may pass a threshold. JTI server 150 may thenpublish a higher-level, such as command-level, message identifying theobject as malware. If JTI server 150 receives multiple conflictingreports from different clients, a synthesis algorithm may provide anappropriate action. For example, if one or a few clients are found to beoutliers, reporting a status different from a large majority of otherclients, the outliers may be discarded. This synthesis algorithm mayalso account for specific clients' past reputations for accuratereporting, or for a reputation assigned based on installed hardware orsoftware.

In an embodiment where domain master 160 is a JTI server 150, thisexample illustrates the value of designating a hierarchy or other schemafor assigning DXL endpoint privileges. For example, with respect todesignating an object as malware, clients 120 may have “suggest”privileges. This may mean, for example, that clients 120 may identify anobject that they believe to be malware, and may either direct a specificmessage to JTI server 150, or may publish a general message identifyingthe object as malware. Because clients have only “suggest” privileges onDXL ESB 130, other DXL endpoints that subscribe to reputation updatesmay treat the identification as less authoritative than anidentification from a DXL network element with elevated privileges suchas “assign” privileges. Privileges, and especially elevated privilegessuch as “assign” privileges, may be authenticated by a securecertificate provided as part of a DXL message.

FIG. 1B is a network diagram of select elements in a context-awarenetwork 100 according to one or more examples of the presentspecification. As seen in FIG. 1B, an additional DXL broker 110-2 may beadded to service endpoints 120-3 and 120-4. DXL broker 110-2 maycommunicate with a second domain master 160-2, which may share domaindatabase 162 with domain master 160-1.

FIG. 2 is a network diagram disclosing a distributed architectureaccording to one or more examples of the present specification. In thisexample, DXL broker 110-1 may be designated as the “hub,” while DXLbrokers 110-2, 110-3, 110-4, and 110-5 may be designated as “spokes.” inan example, all DXL traffic that passes through a spoke will beforwarded to the hub, which will distribute the traffic to other spokes.Designation of a DXL broker 110 as the hub may be accomplished via anysuitable means, such as selecting the hub based on MAC ID, IP address,or network proximity to domain master 160.

If DXL broker 110-1 goes offline, another hub may be at leasttemporarily needed. In that case, another hub may be elected. When DXLbroker 110-1 comes back online, it may resume its duties as a hub, ormay act as a spoke, depending on network topology and designconsiderations.

In another example, spokes may form a temporary mesh network uponcommunicatively connecting to DXL broker 110-1. In yet otherembodiments, DXL brokers 110 may be configured to operate full time in amesh configuration.

Additional extensibility may be provided by bridging DXL ESB 130 acrossdisparate networks, enabling data to be exchanged over larger networks,including the Internet.

FIG. 3 is a network diagram of an example DXL network operating across atraditional enterprise boundary according to one or more examples of thepresent specification. In this example, first enterprise 302 includes aDXL broker 110-2 which communicatively couples to a domain master 160and enterprise switch master (ESM) 330. In one embodiment, domain master160 and ESM 330 may be coupled over a traditional (non-DXL) networkinterface 312. Domain master 160 may connect to an IP network 310. IPnetwork 310 may be any communicative platform operable to exchange dataor information emanating from endpoints, including, by way ofnon-limiting example, an Internet architecture providing end users withthe ability to electronically interact, a plain old telephone system(POTS), which end users could use to perform transactions in which theymay be assisted by human operators or in which they may manually keydata into a telephone or other suitable electronic equipment, any packetdata network (PDN) offering a communications interface or exchangebetween any two nodes in a system, or any local area network (LAN),metropolitan area network (MAN), wide area network (WAN), wireless localarea network (WLAN), virtual private network (VPN), intranet, or anyother appropriate architecture or system that facilitates communicationsin a network or telephonic environment.

Second enterprise 304 also includes a DXL broker 110-1. DXL brokers 110may communicate with each other over DXL ESB 130. In this example, DXLESB 130 is physically provided by IP network 310, but DXL traffic may bedistinguished from other types of Internet traffic such as hypertexttransfer protocol (HTTP), and other user-centric network traffic, forexample because it is provided on a different port or protocol.

DXL broker 110-1 may also be coupled, for example, to a network serviceprovider (NSP) 340, antivirus agent 350, enterprise firewall 360, andadvanced threat detection (ATD) appliance 370.

ATD 370 may be a dedicated appliance, or a general-purpose computingmachine running advanced threat detection software. In one example, ATD370 is configured to analyze objects without existing reputations and toassign those objects threat levels based on the analysis.

As this figure demonstrates, DXL ESB 130 may be used to integrateheterogeneous or otherwise unrelated network architectures, even acrossdifferent enterprises. In an example, second enterprise 304 may be athird-party JTI service provider delivering ATD services to firstenterprise 302.

FIG. 4 is a network diagram of a context-aware network 400 according toone or more examples of the present specification. In an example,context-aware network 400 is substantially similar to context-awarenetwork 100. However, in context-aware network 400, domain master 160 isa common information model (CIM) server 410.

According to one or more examples of the present specification, CIM isan open and extensible logical database schema designed to hostdifferent types of situational and environmental information. CIM mayprovide robust representation of new objects, building blocks, and datatypes. Core entities of CIM include, by way of non-limiting example,assets, identities, applications, and locations.

CIM may provide many-to-many relationships and building blocks thatdrive multiple use cases. CIM may also support advanced datavisualization. Advantageously, according to one or more examples of thepresent specification, CIM scales massively and is open and extensible,allowing different product groups and third parties to develop new dataextensions.

In an example of a CIM use case, a “location” represents a collection ofnetwork elements forming a logical location mapped into a physicallocation or a place. The location context can be used, by way ofnon-limiting example, to gather complete understanding with regard tothe true scope and size of an organization (i.e., in the form of anetwork topology map).

CIM may also maintain the global authoritative state of situational andenvironmental information by synthesizing contextual information sharedby multiple data sources over DXL ESB 130.

FIG. 5 is a block diagram of a DXL broker according to one or moreexamples of the present specification. In some embodiments, DXL broker110, DXL services 190, and JTI server 150 may be provided in a singlephysical computing device.

In an example, DXL broker 110 is controlled by a processor 510.Processor 510 may connect to other system elements via system bus 570.Those other elements may include, by way of non-limiting example, amemory 520, network interface 540, and storage 550.

Processor 510 is configured to control DXL broker 110, for example viaexecutable software or firmware instructions. A “processor” as usedherein includes any combination of hardware, software, or firmwareproviding programmable logic, including by way of non-limiting example amicroprocessor, digital signal processor, field-programmable gate array,programmable logic array, application-specific integrated circuit, orvirtual machine processor.

Memory 520 may be a relatively low-latency volatile memory in someembodiments, and may include main memory, cache, on-chip memory, L1memory, L2 memory, or similar. Note that in this embodiment, processor510 is depicted in a direct memory access arrangement with memory 520,but in other embodiments, memory 520 may communicate with processor 510via system bus 570, via some other bus, or via some other means.Furthermore, although memory 520 and storage 550 are depicted in thisexample as physically or conceptually separate devices, it should beappreciated that in some embodiments, memory 520 and storage 550 mayshare a physical device, which may or may not be divided into separatememory areas. Thus, it should be appreciated that the arrangementdisclosed here is an example only, and not limiting. Rather, it isexpressly intended that even where a memory and storage are spoken ofseparately, they may be embodied in a single physical or logical deviceunless expressly stated otherwise.

In this example, network interface 540 provides a physical and logicalinterface to DXL ESB 130, and includes any communication medium, whetheranalog, digital, or mixed-signal, that is configured to communicativelycouple client 120 to other computing devices. Network interface 540 mayinclude, by way of non-limiting example, a WiFi, Ethernet, Firewire,fiber optic, USB, serial interface, infrared, or cellular network,digital PCS network, 2G data network, 3G data network, 4G WiMAX, or 4GLTE data network. In some embodiments, network interface 540 may alsoprovide a physical and logical interface to IP network 310.

Storage 550 is disclosed as an example of a non-volatile memory medium,which may be a species of memory 520. In some embodiments, memory 520and storage 550 may be separate devices, with memory 520 being arelatively low-latency volatile memory device, and storage 550 being arelatively high-latency non-volatile memory device. Storage 550 may alsobe another device, such as a hard drive, solid-state drive, externalstorage, redundant array of independent disks (RAID), network-attachedstorage, optical storage, tape drive, backup system, or any combinationof the foregoing. Many other configurations are also possible, and areintended to be encompassed within the broad scope of this specification.

In an example, memory 520 includes DXL broker 522 and DXL servicessoftware 526. DXL broker 522 provides DXL broker services as describedherein. DXL services software 526 may provide DXL client services or DXLbroker 110. For example, DXL broker 110 may subscribe to certain typesof messages in a client capacity.

FIG. 6 is a block diagram of a CIM server 410 according to one or moreexamples of the present specification. In an example, CIM server 410 iscontrolled by a processor 610. Processor 610 may connect to other systemelements via system bus 670. Those other elements may include, by way ofnon-limiting example, a memory 620, network interface 640, and storage650. Reference is made to corresponding elements in FIG. 5, whichcontains additional details and definitions.

Memory 620 may include CIM server software 622. CIM server software 622may be configured to provide CIM services as described herein.

Storage 650 may include a local object database 652. Object database 652may contain stored information about objects on the network, including,for example, reputations and metadata.

FIG. 7 is a block diagram of a domain master 160 according to one ormore examples of the present specification. In an example, domain master160 is controlled by a processor 710. Processor 710 may connect to othersystem elements via system bus 770. Those other elements may include, byway of non-limiting example, a memory 720, network interface 740, andstorage 750. Reference is made to corresponding elements in FIG. 5,which contains additional details and definitions.

In an example, memory 720 includes domain master software 722 and DXLextension 724. Domain master software 722 may be configured to providedomain master services as described herein. DXL extensions 724 mayprovide server extensions that allow domain master 160 to operate on DXLESB 130. In some embodiments, DXL extension 724 may include instructionsthat permit domain master 160 to act as a DXL client in some situations.

FIG. 8 is a block diagram of a client 120 according to one or moreexamples of the present specification. Client 120 is controlled by aprocessor 810, which is communicatively coupled to a memory element 820.In an example, processor 810 is communicatively coupled to other systemelements via bus 870. Those elements may include, by way of non-limitingexample, a network interface 840, storage 850, which in some cases maybe a species of memory element 820, and a user interface 860. It isexpressly intended that any of the above elements can be realized inhardware, software, firmware, or any combination thereof.

In some embodiments, a user interface 860 may be provided to aid a userin interacting with client 120. A “user interface” includes anycombination of hardware, software, and firmware configured to enable auser to interact with client 120, whether or not in real-time. In theexample, user interface 360 may include, by way of non-limiting example,a keyboard (not shown), mouse (not shown), display monitor 842, speaker846, microphone 844, touch-sensitive display, which may act as acombined input/output device, and which may be a species of display 842,and a camera 848. User interface 860 may include software services suchas a graphical user interface, including real-time dialog boxes thatsolicit input or confirmation from a user.

In an example, memory 820 has stored therein executable instructionsoperable to provide software services, which may be contained in severaldistinct modules. A DXL client 826 may provide software services forinteracting with DXL ESB 130, and may include, for example, certificatesauthenticating client 120 on DXL ESB 130, subroutines for publishingmessages, and subroutines for parsing subscribed incoming messages. CIMclient 822 may provide CIM services as described with more particularityin relation to FIG. 4. CIM client 822 may also maintain a comprehensivecatalog of stored objects 852, including for example a comprehensivecatalog of installed applications. JTI client 824 may provide JTI clientservices, such as local reputation management and interactions with JTIserver 150. Client 120 may also have a separate antimalware agent 828,which may provide antivirus and other antimalware services. In somecases, antimalware agent 828 is integrated with JTI client 824.

FIG. 9 is a flow diagram illustrating evaluation of an object in ahierarchical manner according to one or more examples of the presentspecification.

In this example, policies on the left are designated as “black,” anddeterministically block an object, while policies on the right aredesignated as “white,” and deterministically allow an object. By way ofnon-limiting example, the policies of FIG. 9 are disclosed as a fixedhierarchy. However, this is not intended to be limiting. For example, inother embodiments, policies may be weighted, or serviced in around-robin fashion. Furthermore, in embodiments where a hierarchy isused, this particular hierarchy is not required.

In block 910, an administrator, which may be either or both of a humanoperator or a device with administrative credentials, may assign a“black” override to the object, which may be identified by a hash. Inblock 912, the administrator may provide a “white” override to an objectidentified by a hash.

In block 920, an administrator may assign a black override to an objectidentified by a certificate. In block 922, an administrator may assign awhite override to an object identified by a certificate.

In block 930, threat intelligence service 180 may assign a black statusbased on a certificate. In block 932, threat intelligence service 180may assign an object a white status based on a certificate.

In block 940, threat intelligence service 180 may assign an object blackstatus based on a hash. In block 942, threat intelligence service 180may assign an object white status based on a hash.

In block 950, malware definitions may identify an object as black, whilein block 952, malware definitions may identify the object as white.

In block 960, JTI rules may assume that the object is dirty. In block962, JTI rules may assume that the object is clean.

JTI client 824 may prompt an end user, via user interface 860, toconfirm executing or opening an object. If the user declines, then inblock 970 the object is blocked. If the user confirms, then in block 972the object is allowed.

In block 980, if the object has passed all the preceding filters, adecision to either block or allow the object depends on JTI policies andalgorithms. This may include requesting a reputation for the object.

FIG. 10 is a flow diagram of a method performed by a client 120according to one or more examples of the present specification. In block1010, client 120 opens a new object. This may be, for example, because auser interacts with the object, or because an automated processinteracts with the object. In block 1020, client 120 checks to see ifthe object has a cache reputation in its local reputation database. Ifthe object has an existing reputation, then in block 1030, client 120may make a decision to either block or allow the object. In someexamples, client 120 may publish the block or allow decision over DXLESB 130. This allows other DXL network objects that have subscribed tosuch updates to receive and integrate the decision. In block 1022, ifthere is no cache reputation, then client 120 may request a reputationfrom JTI server 150. In block 1024, client 120 may receive a reputationdata from JTI server 150, whereupon control passes to block 130. Asshown by the looping arrow back to 1010, this process may be repeatedfor each new object.

FIG. 10A is a flow diagram of a method performed by JTI server 150 inconnection with the method of FIG. 10 according to one or more exampleembodiments of the present specification. In block 1040, JTI server 150receives a reputation request from client 120. In block 1060, JTI server150 may query its local database to find whether the object is alreadyknown. If the object is known, then in block 1070, JTI server 150 mayupdate its local threat intelligence database. This may include, forexample, noting the circumstances of the request from client 120. Inblock 1080, JTI server 150 may return the reputation data to client 120.In block 1090, the method is complete.

Returning to block 1060, if the object is not known, then in block 1050JTI server 150 may request information from the threat intelligenceservice 180. In block 1052, JTI server 150 receives threat intelligencedata from threat intelligence service 180, and in block 1070 updates itslocal JTI database with the received intelligence. Again in block 1080,the intelligence is returned to client 120, and in block 1090 theprocess is done.

Block 1034 represents an alternate entry point into the method. At block1034, a JTI server 150 receives a published decision, for example adecision to be published by client 120 according to the method of FIG.10. Depending on the network configuration, JTI server 150 may subscribeto published block/allow decisions, and in block 1070 may use apublished decision to update its local database. In this case, controlpasses directly from block 1080 to block 1090.

FIG. 11 is a flow diagram of a method of a JTI server 150 servicing areputation request according to one or more examples of the presentspecification. In some embodiments, the method of FIG. 11 may beperformed in connection with block 1080 of FIG. 10A. In block 1110, anadministrator may enter white or black overrides, for example asdisclosed in connection with FIG. 9. Block 1040 corresponds to block1040 of FIG. 10A, in which the JTI server 150 receives a reputationrequest from client 120. In block 1130, JTI server 150 checks to seewhether the administrator has entered an override, such as anenterprise-wide override. In particular, an override may remove thedecision of whether to allow or block the object. Instead, the overridemay deterministically allow or block the object. Thus, in block 1140,JTI server 150 returns the override to client 120. In block 1130, ifthere is no enterprise override, then in block 1150, JTI server 150returns the reputation for client 120 to act on.

FIG. 12 is a flow diagram of an enhancement to the method of FIG. 10Aaccording to one or more examples of the present specification. Blocksin FIG. 12 with numbering identical to the blocks in FIG. 10A may beidentical in function to that of blocks disclosed in FIG. 10A.

New block 1210 queries whether threat intelligence is available fromthreat intelligence service 180. If threat intelligence is available,then in block 1052, JTI server 150 receives the threat intelligence aswith FIG. 10A. In block 1220, if no threat intelligence is available,then JTI server 150 may send the object to ATD 370 for analysis. Ratherthan respond directly to the request, ATD 370 may publish reputationdata for the object once it has completed its analysis. In block 1230,JTI server 150 may subscribe to published reputation data messages, andthus may receive the DXL message published by ATD 370. The remainder ofthe method may be unchanged.

The foregoing outlines features of several embodiments so that thoseskilled in the art may better understand the aspects of the presentdisclosure. Those skilled in the art should appreciate that they mayreadily use the present disclosure as a basis for designing or modifyingother processes and structures for carrying out the same purposes and/orachieving the same advantages of the embodiments introduced herein.Those skilled in the art should also realize that such equivalentconstructions do not depart from the spirit and scope of the presentdisclosure, and that they may make various changes, substitutions, andalterations herein without departing from the spirit and scope of thepresent disclosure.

The particular embodiments of the present disclosure may readily includea system on chip (SOC) central processing unit (CPU) package. An SOCrepresents an integrated circuit (IC) that integrates components of acomputer or other electronic system into a single chip. It may containdigital, analog, mixed-signal, and radio frequency functions: all ofwhich may be provided on a single chip substrate. Other embodiments mayinclude a multi-chip-module (MCM), with a plurality of chips locatedwithin a single electronic package and configured to interact closelywith each other through the electronic package. In various otherembodiments, the digital signal processing functionalities may beimplemented in one or more silicon cores in application specificintegrated circuits (ASICs), field programmable gate arrays (FPGAs), andother semiconductor chips.

In example implementations, at least some portions of the processingactivities outlined herein may also be implemented in software. In someembodiments, one or more of these features may be implemented inhardware provided external to the elements of the disclosed FIGUREs, orconsolidated in any appropriate manner to achieve the intendedfunctionality. The various components may include software (orreciprocating software) that can coordinate in order to achieve theoperations as outlined herein. In still other embodiments, theseelements may include any suitable algorithms, hardware, software,components, modules, interfaces, or objects that facilitate theoperations thereof.

Additionally, some of the components associated with describedmicroprocessors may be removed, or otherwise consolidated. In a generalsense, the arrangements depicted in the FIGURES may be more logical intheir representations, whereas a physical architecture may includevarious permutations, combinations, and/or hybrids of these elements. Itis imperative to note that countless possible design configurations canbe used to achieve the operational objectives outlined herein.Accordingly, the associated infrastructure has a myriad of substitutearrangements, design choices, device possibilities, hardwareconfigurations, software implementations, equipment options, etc.

Any suitably-configured processor component can execute any type ofinstructions associated with the data to achieve the operations detailedherein. Any processor disclosed herein could transform an element or anarticle (for example, data) from one state or thing to another state orthing. In another example, some activities outlined herein may beimplemented with fixed logic or programmable logic (for example,software and/or computer instructions executed by a processor) and theelements identified herein could be some type of a programmableprocessor, programmable digital logic (for example, a field programmablegate array (FPGA), an erasable programmable read only memory (EPROM), anelectrically erasable programmable read only memory (EEPROM)), an ASICthat includes digital logic, software, code, electronic instructions,flash memory, optical disks, CD-ROMs, DVD ROMs, magnetic or opticalcards, other types of machine-readable mediums suitable for storingelectronic instructions, or any suitable combination thereof. Inoperation, processors may store information in any suitable type ofnon-transitory storage medium (for example, random access memory (RAM),read only memory (ROM), field programmable gate array (FPGA), erasableprogrammable read only memory (EPROM), electrically erasableprogrammable ROM (EEPROM), etc.), software, hardware, or in any othersuitable component, device, element, or object where appropriate andbased on particular needs. Further, the information being tracked, sent,received, or stored in a processor could be provided in any database,register, table, cache, queue, control list, or storage structure, basedon particular needs and implementations, all of which could bereferenced in any suitable timeframe. Any of the memory items discussedherein should be construed as being encompassed within the broad term‘memory.’ Similarly, any of the potential processing elements, modules,and machines described herein should be construed as being encompassedwithin the broad term ‘microprocessor’ or ‘processor.’

Computer program logic implementing all or part of the functionalitydescribed herein is embodied in various forms, including, but in no waylimited to, a source code form, a computer executable form, and variousintermediate forms (for example, forms generated by an assembler,compiler, linker, or locator). In an example, source code includes aseries of computer program instructions implemented in variousprogramming languages, such as an object code, an assembly language, ora high-level language such as OpenCL, Fortran, C, C++, JAVA, or HTML foruse with various operating systems or operating environments. The sourcecode may define and use various data structures and communicationmessages. The source code may be in a computer executable form (e.g.,via an interpreter), or the source code may be converted (e.g., via atranslator, assembler, or compiler) into a computer executable form.

In the discussions of the embodiments above, the capacitors, buffers,graphics elements, interconnect boards, clocks, DDRs, camera sensors,dividers, inductors, resistors, amplifiers, switches, digital core,transistors, and/or other components can readily be replaced,substituted, or otherwise modified in order to accommodate particularcircuitry needs. Moreover, it should be noted that the use ofcomplementary electronic devices, hardware, non-transitory software,etc. offer an equally viable option for implementing the teachings ofthe present disclosure.

In one example, any number of electrical circuits of the FIGURES may beimplemented on a board of an associated electronic device. The board canbe a general circuit board that can hold various components of theinternal electronic system of the electronic device and, further,provide connectors for other peripherals. More specifically, the boardcan provide the electrical connections by which the other components ofthe system can communicate electrically. Any suitable processors(inclusive of digital signal processors, microprocessors, supportingchipsets, etc.), memory elements, etc. can be suitably coupled to theboard based on particular configuration needs, processing demands,computer designs, etc. Other components such as external storage,additional sensors, controllers for audio/video display, and peripheraldevices may be attached to the board as plug-in cards, via cables, orintegrated into the board itself. In another example, the electricalcircuits of the FIGURES may be implemented as stand-alone modules (e.g.,a device with associated components and circuitry configured to performa specific application or function) or implemented as plug-in modulesinto application specific hardware of electronic devices.

Note that with the numerous examples provided herein, interaction may bedescribed in terms of two, three, four, or more electrical components.However, this has been done for purposes of clarity and example only. Itshould be appreciated that the system can be consolidated in anysuitable manner. Along similar design alternatives, any of theillustrated components, modules, and elements of the FIGURES may becombined in various possible configurations, all of which are clearlywithin the broad scope of this Specification. In certain cases, it maybe easier to describe one or more of the functionalities of a given setof flows by only referencing a limited number of electrical elements. Itshould be appreciated that the electrical circuits of the FIGURES andits teachings are readily scalable and can accommodate a large number ofcomponents, as well as more complicated/sophisticated arrangements andconfigurations. Accordingly, the examples provided should not limit thescope or inhibit the broad teachings of the electrical circuits aspotentially applied to a myriad of other architectures.

Numerous other changes, substitutions, variations, alterations, andmodifications may be ascertained to one skilled in the art and it isintended that the present disclosure encompass all such changes,substitutions, variations, alterations, and modifications as fallingwithin the scope of the appended claims. In order to assist the UnitedStates Patent and Trademark Office (USPTO) and, additionally, anyreaders of any patent issued on this application in interpreting theclaims appended hereto, Applicant wishes to note that the Applicant: (a)does not intend any of the appended claims to invoke paragraph six (6)of 35 U.S.C. section 112 as it exists on the date of the filing hereofunless the words “means for” or “steps for” are specifically used in theparticular claims; and (b) does not intend, by any statement in thespecification, to limit this disclosure in any way that is not otherwisereflected in the appended claims.

EXAMPLE IMPLEMENTATIONS

There is disclosed in one example a data exchange layer (DXL) broker,comprising: a hardware platform comprising a processor; and instructionsencoded in a memory to instruct the processor to: communicatively coupleto a DXL fabric configured to operate a one-to-many (1:N, N>1)publish-subscribe fabric; provide an interface to authenticate andregister DXL endpoints with the DXL broker; and provide DXL messaging,comprising maintaining a routing table of registered DXL endpoints;receiving from a first registered DXL endpoint a one-to-one (1:1)request for an endpoint of the DXL fabric, wherein the endpoint is not aregistered DXL endpoint of the broker; and publishing the 1:1 request tothe DXL fabric.

There is further disclosed a DXL broker, wherein providing DXL messagingfurther comprises: receiving a 1:1 response to the request; identifyingthe first registered DXL endpoint as a destination for the 1:1 response;and forwarding the 1:1 response to the first registered DXL endpoint.

There is further disclosed a DXL broker, wherein the instructions arefurther to instruct the processor to provide message queueing telemetrytransport (MQQT) messaging to support the DXL messaging.

There is further disclosed a DXL broker, wherein the instructions arefurther to discover a client property of the first registered DXLendpoint.

There is further disclosed a DXL broker, wherein the client property isselected from the group consisting of client IP address, clientoperating system, and logged-in username.

There is further disclosed a DXL broker, wherein the logic is furtherto: receive a subscription of a second registered DXL endpoint to atopic; receive a DXL message of the topic; and forward the message tothe second registered DXL endpoint.

There is further disclosed a DXL broker, wherein coupling to the DXLfabric comprises operating a two-layer protocol, wherein a bottom layeris a secure, low-latency data transport fabric and a top layer is anextensible data exchange framework.

There is further disclosed a DXL broker, wherein the logic is furtherconfigured to provide loose integration of network elements.

There is further disclosed a DXL broker, wherein the interface is aplug-and-play application programming interface (API) comprising supportfor loose integration of heterogeneous devices.

There are also disclosed one or more tangible, non-transitorycomputer-readable mediums having stored thereon executable instructionsto: communicatively couple to a DXL fabric configured to provide aone-to-many (1:N, N>1) publish-subscribe fabric; provide an applicationprogramming interface (API) to register DXL endpoints with a DXL broker;and maintain a routing table of registered DXL endpoints; receive from aregistered DXL endpoint a one-to-one (1:1) request for a remote endpointof the DXL fabric; and publish the 1:1 request for the remote endpointto the DXL fabric, wherein the request is posted to a DXL topic specificto the remote endpoint.

There are further disclosed one or more tangible, non-transitorycomputer-readable mediums, wherein the instructions are further to:receive a 1:1 response to the request; identify the registered DXLendpoint as a destination for the 1:1 response according to a topicspecific to the registered DXL endpoint; and forward the 1:1 response tothe registered DXL endpoint.

There are further disclosed one or more tangible, non-transitorycomputer-readable mediums, wherein the instructions are further toprovide message queueing telemetry transport (MQQT) messaging to supportDXL messaging.

There are further disclosed one or more tangible, non-transitorycomputer-readable mediums, wherein the instructions are further todiscover a client property of the registered DXL endpoint.

There are further disclosed one or more tangible, non-transitorycomputer-readable mediums, wherein the client property is selected fromthe group consisting of client IP address, client operating system, andlogged-in username.

There are further disclosed one or more tangible, non-transitorycomputer-readable mediums, wherein the instructions are further to:receive a subscription of the registered DXL endpoint to a topic;receive a DXL message of the topic; and forward the message to thesecond registered DXL endpoint.

There are further disclosed one or more tangible, non-transitorycomputer-readable mediums, wherein coupling to the DXL fabric comprisesoperating a two-layer protocol, wherein a bottom layer is a secure,low-latency data transport fabric and a top layer is an extensible dataexchange framework.

There are further disclosed one or more tangible, non-transitorycomputer-readable mediums, wherein the logic is further configured toprovide loose integration of network elements.

There are further disclosed one or more tangible, non-transitorycomputer-readable mediums, wherein the API is a plug-and-play APIcomprising support for loose integration of heterogeneous devices.

There is also disclosed a computer-implemented method of providing a DXLbroker, comprising: communicatively coupling to a DXL fabric configuredto provide a one-to-many (1:N, N>1) publish-subscribe fabric; providingan application programming interface (API) to register DXL endpointswith the DXL broker; and maintaining a routing table of registered DXLendpoints; receiving from a registered DXL endpoint a one-to-one (1:1)request for a remote endpoint of the DXL fabric; and publishing the 1:1request for the remote endpoint to the DXL fabric.

There is further disclosed a method, further comprising: receiving a 1:1response to the request; identifying the registered DXL endpoint as adestination for the 1:1 response according to a topic specific to theregistered DXL endpoint; and forwarding the 1:1 response to theregistered DXL endpoint.

There is further disclosed a method, further comprising providingmessage queueing telemetry transport (MQQT) messaging to support DXLmessaging.

There is further disclosed a method, further comprising discovering aclient property of the registered DXL endpoint.

There is further disclosed a method, wherein the client property isselected from the group consisting of client IP address, clientoperating system, and logged-in username.

There is further disclosed a method, further comprising: receiving asubscription of the registered DXL endpoint to a topic; receiving a DXLmessage of the topic; and forwarding the message to the secondregistered DXL endpoint.

There is further disclosed a method, wherein coupling to the DXL fabriccomprises operating a two-layer protocol, wherein a bottom layer is asecure, low-latency data transport fabric and a top layer is anextensible data exchange framework.

There is further disclosed a method, further comprising providing looseintegration of network elements.

There is further disclosed a method, wherein the API is a plug-and-playAPI comprising support for loose integration of heterogeneous devices.

What is claimed is:
 1. A data exchange layer (DXL) broker, comprising: ahardware platform comprising a processor; and instructions encoded in amemory to instruct the processor to: communicatively couple to a DXLfabric configured to operate a one to-many (1:N, N>1) publish-subscribefabric; provide an interface to authenticate and register DXL endpointswith the DXL broker; and provide DXL messaging, comprising maintaining arouting table of registered DXL endpoints; receiving from a firstregistered DXL endpoint a one-to-one (1:1) request for an endpoint ofthe DXL fabric, wherein the endpoint is not a registered DXL endpoint ofthe broker; and publishing the 1:1 request to the DXL fabric.
 2. The DXLbroker of claim 1, wherein providing DXL messaging further comprises:receiving a 1:1 response to the request; identifying the firstregistered DXL endpoint as a destination for the 1:1 response; andforwarding the 1:1 response to the first registered DXL endpoint.
 3. TheDXL broker of claim 1, wherein the instructions are further to instructthe processor to provide message queueing telemetry transport (MQQT)messaging to support the DXL messaging.
 4. The DXL broker of claim 1,wherein the instructions are further to discover a client property ofthe first registered DXL endpoint.
 5. The DXL broker of claim 4, whereinthe client property is selected from the group consisting of client IPaddress, client operating system, and logged-in username.
 6. The DXLbroker of claim 1, wherein the logic is further to: receive asubscription of a second registered DXL endpoint to a topic; receive aDXL message of the topic; and forward the message to the secondregistered DXL endpoint.
 7. The DXL broker of claim 1, wherein couplingto the DXL fabric comprises operating a two-layer protocol, wherein abottom layer is a secure, low-latency data transport fabric and a toplayer is an extensible data exchange framework.
 8. The DXL broker ofclaim 1, wherein the logic is further configured to provide looseintegration of network elements.
 9. The DXL broker of claim 1, whereinthe interface is a plug-and-play application programming interface (API)comprising support for loose integration of heterogeneous devices. 10.One or more tangible, non-transitory computer-readable mediums havingstored thereon executable instructions to: communicatively couple to aDXL fabric configured to provide a one-to-many (1:N, N>1)publish-subscribe fabric; provide an application programming interface(API) to register DXL endpoints with a DXL broker; and maintain arouting table of registered DXL endpoints; receive from a registered DXLendpoint a one-to-one (1:1) request for a remote endpoint of the DXLfabric; and publish the 1:1 request for the remote endpoint to the DXLfabric, wherein the request is posted to a DXL topic specific to theremote endpoint.
 11. The one or more tangible, non-transitorycomputer-readable mediums of claim 10, wherein the instructions arefurther to: receive a 1:1 response to the request; identify theregistered DXL endpoint as a destination for the 1:1 response accordingto a topic specific to the registered DXL endpoint; and forward the 1:1response to the registered DXL endpoint.
 12. The one or more tangible,non-transitory computer-readable mediums of claim 10, wherein theinstructions are further to provide message queueing telemetry transport(MQQT) messaging to support DXL messaging.
 13. The one or more tangible,non-transitory computer-readable mediums of claim 10, wherein theinstructions are further to discover a client property of the registeredDXL endpoint.
 14. The one or more tangible, non-transitorycomputer-readable mediums of claim 13, wherein the client property isselected from the group consisting of client IP address, clientoperating system, and logged-in username.
 15. The one or more tangible,non-transitory computer-readable mediums of claim 10, wherein theinstructions are further to: receive a subscription of the registeredDXL endpoint to a topic; receive a DXL message of the topic; and forwardthe message to the second registered DXL endpoint.
 16. The one or moretangible, non-transitory computer-readable mediums of claim 10, whereincoupling to the DXL fabric comprises operating a two-layer protocol,wherein a bottom layer is a secure, low-latency data transport fabricand a top layer is an extensible data exchange framework.
 17. The one ormore tangible, non-transitory computer-readable mediums of claim 10,wherein the logic is further configured to provide loose integration ofnetwork elements.
 18. The one or more tangible, non-transitorycomputer-readable mediums of claim 10, wherein the API is aplug-and-play API comprising support for loose integration ofheterogeneous devices.
 19. A computer-implemented method of providing aDXL broker, comprising: communicatively coupling to a DXL fabricconfigured to provide a one-to-many (1:N, N>1) publish-subscribe fabric;providing an application programming interface (API) to register DXLendpoints with the DXL broker; and maintaining a routing table ofregistered DXL endpoints; receiving from a registered DXL endpoint aone-to-one (1:1) request for a remote endpoint of the DXL fabric; andpublishing the 1:1 request for the remote endpoint to the DXL fabric.20. The method of claim 19, further comprising: receiving a 1:1 responseto the request; identifying the registered DXL endpoint as a destinationfor the 1:1 response according to a topic specific to the registered DXLendpoint; and forwarding the 1:1 response to the registered DXLendpoint.